Lazarus Group

The umbrella threat-intelligence-industry designation for the cluster of cyber-operational activity attributed broadly to North Korea's Reconnaissance General Bureau. Treated here as a canonical entity in its own right — distinct from the institutional-unit pattern of the rest of the bestiary — because the institutional attribution within RGB is genuinely diffuse across Bureau 121, Lab 110, Bureau 180, Office 91, and additional sub-units, and because "Lazarus" has become the canonical referent in the forensic, journalistic, and indictment record in a way no single RGB sub-unit has.


Overview

The Lazarus Group is the umbrella threat-intelligence-industry designation for the cluster of cyber-operational activity attributed broadly to North Korea's Reconnaissance General Bureau. It is the single exception in this site's elite-cyber-unit bestiary to the editorial convention of treating the institutional unit as the canonical entry and the threat-intelligence-industry label as the alias. The reason is institutional: the DPRK's internal cyber-operational architecture is genuinely diffuse across multiple subordinate bureaus and offices — Bureau 121, Lab 110, Bureau 180, Office 91, and additional sub-units — and the institutional attribution of any specific operation within that architecture is generally not crisply established in the public record. Where the GRU's Unit 26165 and Unit 74455 are institutionally distinct entities with publicly-attested addresses and named personnel, the DPRK's equivalent units are publicly less crisply individuated, and the "Lazarus Group" label has become the canonical referent across the forensic, journalistic, and indictment record in a way no single RGB sub-unit has.1

Across the threat-intelligence industry the cluster is tracked under a substantial proliferation of vendor labels — Hidden Cobra (United States CISA), ZINC and then Diamond Sleet (Microsoft), Labyrinth Chollima (CrowdStrike) for the core cluster; APT38 and Stardust Chollima and Bluenoroff (CrowdStrike) for the financial-crime-focused sub-cluster; APT37 and Reaper and ScarCruft (Microsoft: tracked separately) for the South-Korean-focused intelligence-collection sub-cluster; APT43 and Kimsuky and Velvet Chollima and Black Banshee and Thallium and then Emerald Sleet (Microsoft) for the academic-and-think-tank-focused sub-cluster. Whether to treat these sub-clusters as separate entities or as functional specialisations within a unified Lazarus umbrella is contested across vendor taxonomies. See APT designation for the naming-conventions context.2

The Lazarus name itself derives from Novetta Solutions' 2016 Operation Blockbuster research consortium — a joint security-research effort led by Novetta with participation from Kaspersky Lab, AlienVault, Symantec, Invincea, and several additional firms — that produced the first major public technical synthesis of the cluster's tooling, infrastructure, and operational history. The name was chosen for the cluster's documented practice of resurrecting old tooling families and operational tradecraft for use in new operations across a long operational period.3

History & Origins

The publicly-attested Lazarus operational footprint begins approximately 2009 with the Operation Troy series of intrusions and denial-of-service operations against South Korean government, financial, and media targets — operations that subsequently were reconstructed by the Operation Blockbuster consortium as the foundational operational record of the Lazarus cluster. The institutional attribution to the DPRK's RGB-era cyber apparatus rests on the operational-tooling lineage, the operational-targeting pattern, the operator working-hours analysis (consistent with the Pyongyang time zone), language-acquisition operational artefacts in the tooling, and ultimately on the United States Government attribution statements and subsequent indictments.4

Operational footprint (documented)

The Lazarus cluster's documented operational footprint is the most extensive of any single DPRK-attributed cyber actor and substantially the entire DPRK-attributed cyber-operational history:

Operation Troy and the 2009–2013 South Korean campaigns. The foundational Lazarus operational record: sustained denial-of-service operations against South Korean government and financial-sector targets (the July 2009 attacks against approximately 35 South Korean and United States government websites), the DarkSeoul destructive attacks of March 2013 against South Korean banking and media organisations (which wiped approximately 32,000 systems across the affected institutions), and the follow-on attacks of April 2013. Reconstructed in the Operation Blockbuster joint research report and in successive South Korean National Intelligence Service public assessments.5

The 2014 Sony Pictures Entertainment intrusion. The November 2014 intrusion and destructive operation against Sony Pictures Entertainment in retaliation for the studio's planned release of The Interview. United States Federal Bureau of Investigation attribution to North Korea in December 2014; United States Department of Justice indictment of Park Jin-Hyok in September 2018 specifically naming the Sony intrusion as one of the operations.6

The 2016 Bangladesh Bank theft. The February 2016 intrusion of Bangladesh Bank's SWIFT-system infrastructure and the attempted theft of approximately $951 million via fraudulent SWIFT payment instructions sent to the Federal Reserve Bank of New York. Approximately $81 million was successfully transferred to Philippine bank accounts before the operation was disrupted; most of the disrupted amount was recovered. The operation is the canonical documented Lazarus financial-crime case and the foundational case for the APT38 sub-cluster designation. United States Department of Justice attribution in the September 2018 indictment.7

The 2017 WannaCry ransomware outbreak. The 12 May 2017 global ransomware outbreak — using the leaked NSA EternalBlue exploit for lateral movement, affecting approximately 200,000 systems across 150 countries including the United Kingdom National Health Service, Spanish telecommunications operator Telefónica, French automaker Renault, and a substantial population of further victims. Joint United States and United Kingdom government attribution to North Korea in December 2017.8

Sustained cryptocurrency-exchange operations (2017 onward). Sustained operations against international cryptocurrency-exchange infrastructure across the post-2017 period, generating several billion United States dollars in illicit revenue. Major documented operations include: the 2018 Coincheck theft (~$534M), the 2018 Bithumb theft (~$31M), the 2020 KuCoin theft (~$281M), the 2022 Ronin Network theft (~$625M, the largest crypto-exchange theft in history), the 2022 Harmony Bridge theft (~$100M), and the 2023 Atomic Wallet theft (~$100M). The cryptocurrency-theft programme is reconstructed in successive Chainalysis annual Crypto Crime Reports, United Nations Security Council Panel of Experts annual reports, and Department of Treasury Office of Foreign Assets Control sanctions designations.9

Sustained intelligence-collection operations against United States, South Korean, and Japanese targets. Across the post-2010 period the APT37 / Reaper and APT43 / Kimsuky sub-clusters have conducted sustained collection against defence-industrial, government, academic, and think-tank targets in the affected states — substantially focused on policy-and-academic communities working on DPRK-related questions, on missile-and-nuclear-development-related research, and on sanctions-monitoring programmes.10

Ransomware operations against United States health-care infrastructure (2020–2024). The August 2024 United States DOJ indictment of Rim Jong Hyok specifically named Lazarus-attributed ransomware operations against United States hospitals and health-care infrastructure across the COVID-19 period and after, including the May 2021 ransomware attack against a Kansas hospital that disrupted patient-care operations.11

Attribution and standing

The United States Department of Treasury's September 2019 sanctions designations of three Lazarus sub-cluster entities — Lazarus Group, Bluenoroff (the financial-crime sub-cluster, broadly equivalent to APT38), and Andariel (the destructive-operations sub-cluster) — under Executive Order 13722 represented the first sanctions designation of DPRK cyber elements by name. The September 2019 designations specifically attribute the named entities to "the Reconnaissance General Bureau."12

The Lazarus institutional standing as a publicly-named threat actor is established across the United Nations Security Council Panel of Experts reports, the United States DOJ indictments (September 2018, February 2021, August 2024), Treasury OFAC sanctions designations (multiple), and joint Five Eyes attribution statements. The cluster is the most-extensively publicly-documented DPRK cyber actor.13

See also

  • Reconnaissance General Bureau — parent service (umbrella attribution)
  • Bureau 121 — one publicly-attested RGB sub-unit; sibling entry to this one in the bestiary
  • APT designation — the naming-conventions context, including the specific discussion of the Lazarus exception case
  • NSA TAO — origin of the EternalBlue exploit weaponised in the WannaCry outbreak
  • NotPetya — the GRU Unit 74455 operation that weaponised EternalBlue six weeks after WannaCry

Sources & Further Reading

  1. United States Department of Treasury, Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups (13 September 2019) — the sanctions designations that established Lazarus / Bluenoroff / Andariel as publicly-named entities; United States DOJ Park Jin-Hyok indictment, op. cit. (September 2018); United Nations Security Council Panel of Experts annual reports.
  2. Microsoft Threat Intelligence naming convention, including the Sleet family for DPRK-attributed clusters; CrowdStrike Global Threat Report series for the Chollima family; Mandiant APT38, APT37, APT43 technical reports.
  3. Novetta Solutions, Operation Blockbuster joint research report (February 2016) — the original Lazarus-cluster public technical synthesis.
  4. Operation Blockbuster, op. cit.; Kaspersky Lab and Symantec contemporaneous and subsequent technical analyses.
  5. Operation Blockbuster, op. cit.; South Korean National Intelligence Service public assessments (multi-year).
  6. FBI Statement on Sony Pictures Investigation, op. cit. (December 2014); United States v. Park Jin-Hyok, Indictment (September 2018).
  7. United States v. Park Jin-Hyok, op. cit.; Bank for International Settlements Committee on Payments and Market Infrastructures, Cyber resilience in financial market infrastructures (June 2018) — institutional analysis of the Bangladesh Bank operation and the SWIFT-system intrusion-class.
  8. United Kingdom NCSC joint UK-US attribution of WannaCry to North Korea (19 December 2017).
  9. Chainalysis, Crypto Crime Report annual series (2018–2024); United Nations Security Council Panel of Experts annual reports (op. cit.); Department of Treasury OFAC sanctions designations of Lazarus-affiliated cryptocurrency-mixer infrastructure (Tornado Cash August 2022; Sinbad November 2023).
  10. Mandiant, APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (March 2023); FireEye / Mandiant APT37 — The Reaper Group technical report (February 2018); Trend Micro Research on DPRK academic-targeting clusters (multi-year).
  11. United States v. Rim Jong Hyok, op. cit. (August 2024).
  12. Department of Treasury, Treasury Sanctions, op. cit.
  13. DOJ indictments (multi-year); Treasury OFAC sanctions designations (multi-year); United Nations Panel of Experts reports (op. cit.); Andy Greenberg, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency (Doubleday, 2022), Chapter on the Lazarus crypto-theft programme.